Microsoft OneDrive File Picker Flaw Grants Apps Full Cloud Access — Even When Uploading Just One File

Cybersecurity researchers have discovered a security flaw in Microsoft's OneDrive File Picker that, if successfully exploited, could allow websites to access a user's entire cloud storage content, as opposed to just the files selected for upload via the tool. "This stems from overly broad OAuth scopes and misleading consent screens that fail to clearly explain the extent of access being granted," the Oasis Research Team said in a report shared with The Hacker News. "This flaw could have severe consequences, including customer data leakage and violation of compliance regulations." It's assessed that several apps are affected, such as ChatGPT, Slack, Trello, and ClickUp, given their integration with Microsoft's cloud service. The problem, Oasis said, is the result of excessive permissions requested by the OneDrive File Picker, which seeks read access to the entire drive, even in cases only a single file is uploaded due to the absence of fine-grained OAuth scopes for OneDrive. Compounding matters further, the consent prompt users are presented with prior to a file upload is vague and does not adequately convey the level of access being granted, thereby exposing users to unexpected security risks. "The lack of fine-grained scopes makes it impossible for users to distinguish between malicious apps that target all files and legitimate apps that ask for excessive permissions simply because there is no other secure option," Oasis noted. The New York-based security company…Read More